Encapsulating trust
Dicebot via Digitalmars-d
digitalmars-d at puremagic.com
Mon Sep 1 11:31:57 PDT 2014
On Monday, 1 September 2014 at 18:29:32 UTC, Daniel Murphy wrote:
> "monarch_dodra" wrote in message
> news:wvslfmdauwupzioryhgq at forum.dlang.org...
>
>> I meant it mostly in that the proposal to mark the entire
>> function as @trusted isn't even *applicable* to template
>> functions.
>
> That isn't what I was proposing. Using a trusted nested or
> lambda function is fine, but it should not be possible to
> violate @safe by changing only the enclosing function.
>
> e.g. making a trustedMemcpy is just as much a violation of @safe
> as marking the actual memcpy as @safe. It still relies on the
> calling function being manually verified not to call it
> incorrectly. If your calling function needs to be manually
> verified, it should be @trusted. If it can't be manually
> verified, it should be @system.

The idea is that you move not only the actual unsafe operation into
a @trusted lambda but also any additional context that makes it
effectively @safe, separating it from the rest of the function.
It is not that trivial to spot though, so some mistakes are
inevitable.
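
The two shapes discussed in this message, side by side, as an added example that is not part of the original thread. `trustedMemcpy` is the name used in the quoted reply; `copyLeaky` and `copyEncapsulated` are hypothetical names, and using `memmove` in the second version is a choice made here.

```d
import core.stdc.string : memcpy, memmove;

// Shape criticised in the quoted reply: callable from @safe code, but
// correct only if every caller passes valid pointers and a valid length.
void trustedMemcpy(void* dst, const(void)* src, size_t n) @trusted
{
    memcpy(dst, src, n);
}

// Compiles as @safe, yet editing only this function (for example passing
// a larger n) corrupts memory with no compiler diagnostic. The manual
// verification burden has moved into code the compiler labels as checked.
void copyLeaky(ubyte[] dst, const(ubyte)[] src, size_t n) @safe
{
    trustedMemcpy(&dst[0], &src[0], n);
}

// Shape described in the reply: the unsafe call and the context that makes
// it safe (the length computation) sit together inside the @trusted lambda.
// Only slices cross the boundary, and @safe code cannot forge a slice.
void copyEncapsulated(ubyte[] dst, const(ubyte)[] src) @safe
{
    () @trusted {
        immutable n = dst.length < src.length ? dst.length : src.length;
        // memmove rather than memcpy: @safe callers may legally pass
        // overlapping slices, which memcpy does not tolerate.
        if (n) memmove(dst.ptr, src.ptr, n);
    }();
}

void main() @safe
{
    // Constructed sample data.
    auto small = new ubyte[4];
    const(ubyte)[] big = [1, 2, 3, 4, 5, 6, 7, 8];

    // The copy is clamped to the shorter slice inside the lambda.
    copyEncapsulated(small, big);
    assert(small == big[0 .. 4]);

    // Overlapping source and destination are handled as well.
    auto buf = new ubyte[6];
    buf[] = [1, 2, 3, 4, 5, 6];
    copyEncapsulated(buf[2 .. $], buf[0 .. 4]);
    assert(buf == [1, 2, 1, 2, 3, 4]);
}
```

No edit to the `@safe` body of `copyEncapsulated` can make the lambda write out of bounds, which is the property the quoted reply asks for.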